What Is Auditing?

Auditing is the collecting of data about the use of system resources. The
audit data provides a record of security-related system events. This data can then
be used to assign responsibility for actions that take place on a host.
Successful auditing starts with two security features: identification and authentication. At each login,
after a user supplies a user name and PAM authentication succeeds, a unique
and immutable audit user ID is generated and associated with the user, and a unique
audit session ID is generated and associated with the user's process. The audit
session ID is inherited by every process that is started during that login
session. When a user switches to another user, all user actions are tracked
with the same audit user ID. For more details about switching identity, see
the su(1M) man page. Note that by default, certain actions such as booting
and shutting down the system are always audited.

The audit service makes the following possible:

Monitoring security-relevant events that take place on the host

Recording the events in a network-wide audit trail

Detecting misuse or unauthorized activity

Reviewing patterns of access and the access histories of individuals and objects

Discovering attempts to bypass the protection mechanisms

Discovering extended use of privilege that occurs when a user changes identity